def observable_pe(self, observable):
extension = observable['1']['extensions']['windows-pebinary-ext']
sections = extension['sections']
pe = MISPObject('pe')
pe_uuid = str(uuid.uuid4())
pe.uuid = pe_uuid
self.fill_object_attributes_observable(pe, pe_mapping, extension)
for section in sections:
pe_section = MISPObject('pe-section')
if 'hashes' in section:
for h_type, h_value in section['hashes'].items():
h_type = h_type.lower().replace('-', '')
pe_section.add_attribute(
**{
'type': h_type,
'object_relation': h_type,
'value': h_value,
'to_ids': False
})
self.fill_object_attributes_observable(pe_section,
pe_section_mapping, section)
section_uuid = str(uuid.uuid4())
pe_section.uuid = section_uuid
pe.add_reference(section_uuid, 'included-in')
self.misp_event.add_object(**pe_section)
self.misp_event.add_object(**pe)
return observable_file(observable), pe_uuid
def __build_misp_event(self, attribute_indexes, object_indexes):
score = self.__get_score()
if object_indexes:
objects = {}
id_name = 'object_id' if 'object_id' in self.header else 'object_uuid'
object_id_index = self.header.index(id_name)
name_index = self.header.index('object_name')
for line in self.data:
attribute = self.__score_mapping[score](line, attribute_indexes)
object_id = line[object_id_index]
if object_id:
if object_id not in objects:
misp_object = MISPObject(line[name_index])
if id_name == 'object_uuid':
misp_object.uuid = object_id
objects[object_id] = misp_object
objects[object_id].add_attribute(**attribute)
else:
self.event.add_attribute(**attribute)
for misp_object in objects.values():
self.misp_event.add_object(**misp_object)
else:
for line in self.data:
attribute = self.__score_mapping[score](line, attribute_indexes)
self.misp_event.add_attribute(**attribute)
def handle_process(self, properties):
attributes = []
if properties.creation_time:
attributes.append(["datetime", properties.creation_time.value, "creation-time"])
if properties.start_time:
attributes.append(["datetime", properties.creation_time.value, "start-time"])
attribute_type = "text"
if properties.name:
attributes.append([attribute_type, properties.name.value, "name"])
if properties.pid:
attributes.append([attribute_type, properties.pid.value, "pid"])
if properties.parent_pid:
attributes.append([attribute_type, properties.parent_pid.value, "parent-pid"])
if properties.child_pid_list:
for child in properties.child_pid_list:
attributes.append([attribute_type, child.value, "child-pid"])
# if properties.port_list:
# for port in properties.port_list:
# attributes.append(["src-port", port.port_value.value, "port"])
if properties.network_connection_list:
references = []
for connection in properties.network_connection_list:
object_name, object_attributes, _ = self.handle_network_connection(connection)
object_uuid = str(uuid.uuid4())
misp_object = MISPObject(object_name)
misp_object.uuid = object_uuid
for attribute in object_attributes:
misp_object.add_attribute(**attribute)
references.append(object_uuid)
return "process", self.return_attributes(attributes), {"process_uuid": references}
return "process", self.return_attributes(attributes), ""
def pattern_pe(self, pattern):
attributes = []
sections = defaultdict(dict)
pe = MISPObject('pe')
pe_uuid = str(uuid.uuid4())
pe.uuid = pe_uuid
for p in pattern:
p_type, p_value = p.split(' = ')
p_value = p_value[1:-1]
if ':extensions.' in p_type:
if '.sections[' in p_type:
p_type_list = p_type.split('.')
stix_type = "hashes.{}".format(p_type_list[4][1:-1]) if '.hashes.' in p_type else p_type_list[3]
sections[p_type_list[2]][stix_type] = p_value
else:
stix_type = p_type.split('.')[-1]
mapping = pe_mapping[stix_type]
pe.add_attribute(**{'type': mapping['type'], 'object_relation': mapping['relation'],
'value': p_value, 'to_ids': True})
else:
if 'file:hashes.' in p_type :
_, h = p_type.split('.')
h = h[1:-1]
attributes.append({'type': h, 'object_relation': h, 'value': p_value, 'to_ids': True})
else:
mapping = file_mapping[p_type]
attributes.append({'type': mapping['type'], 'object_relation': mapping['relation'],
'value': p_value, 'to_ids': True})
for _, section in sections.items():
pe_section = MISPObject('pe-section')
for stix_type, value in section.items():
if 'hashes.' in stix_type:
h_type = stix_type.split('.')[1]
pe_section.add_attribute(**{'type': h_type, 'object_relation': h_type,
'value': value, 'to_ids': True})
else:
mapping = pe_section_mapping[stix_type]
pe_section.add_attribute(**{'type': mapping['type'], 'object_relation': mapping['relation'],
'value': value, 'to_ids': True})
section_uuid = str(uuid.uuid4())
pe_section.uuid = pe_uuid
pe.add_reference(section_uuid, 'included-in')
self.misp_event.add_object(**pe_section)
self.misp_event.add_object(**pe)
return attributes, pe_uuid
def handle_object_case(self, attribute_type, attribute_value, compl_data, object_uuid=None):
misp_object = MISPObject(attribute_type)
if object_uuid:
misp_object.uuid = object_uuid
for attribute in attribute_value:
misp_object.add_attribute(**attribute)
if type(compl_data) is dict and "pe_uuid" in compl_data:
# if some complementary data is a dictionary containing an uuid,
# it means we are using it to add an object reference
misp_object.add_reference(compl_data['pe_uuid'], 'included-in')
self.misp_event.add_object(**misp_object)
def _create_new_misp_object(self, values: tuple, obj_uuid: str,
misp_event: MISPEvent):
""" Creates new MISP object with sighting on src ip. """
attrs = {
'ip-src': values[0],
'ip-dst': values[1],
'dst-port': values[2]
}
misp_obj = MISPObject(name="ip-port", strict=True)
for attr_name, value in attrs.items():
# TODO add concrete uuid to the attribute?
misp_obj.add_attribute(object_relation=attr_name, value=value)
misp_obj.uuid = obj_uuid
res = self.misp_inst.add_object(misp_event, misp_obj, pythonify=True)
self.logger.debug(f"Result of creating new misp object: {res}!")